TDL004 | Understanding Microsoft Zero Trust DNS with Aditi Patange

Summary

In this episode, David Redekop and co-host Francois Driessen interview Aditi Patange from Microsoft. The conversation focuses on the evolution of cybersecurity, on the development and importance of Zero Trust DNS, and on Aditi’s journey from computer engineering to a mission to protect the digital world. It is a powerful reminder that the best technology is built by people with a purpose.

Aditi explains that zero trust DNS, a new enterprise security feature in Windows 11, blocks all outbound connections by default and only allows connections resolved by a trusted DNS server or those explicitly configured as trusted by an IT administrator. The motivation for this effort, she says, began in 2021 with the U.S. government’s executive order on cybersecurity, which aimed to secure government networks without TLS termination. The guests discuss how many legacy applications that use direct IP address connections or host files broke during the testing of this new feature. Aditi believes this “breaking” is a positive outcome as it forces organizations to modernize and secure their applications.

Understanding Microsoft Zero Trust DNS with Aditi Patange | The Defender's Log

TL;DR

  • Zero Trust DNS: Microsoft’s new enterprise security feature for Windows 11 blocks all outbound connections by default, allowing only those resolved by a trusted DNS server or explicitly configured as trusted by an IT administrator.
  • The Mission: The creator of the feature, Aditi Patange, is motivated by the mission to secure the digital world, noting that securing networks in places like hospitals can be a matter of saving lives.
  • Breaking Things to Get Better: The implementation of Zero Trust DNS deliberately broke legacy applications that used host files or direct IP connections, which the team saw as a positive outcome that forced organizations to modernize their systems and close security loopholes.
  • Preventing Phishing Attacks: Zero Trust DNS can prevent phishing attacks by blocking malicious links or IP address connections.
  • No TLS Termination: The feature was created in response to a U.S. government cybersecurity executive order that required a solution without TLS termination, as terminating TLS connections creates a single, hyper-valuable target for attackers.
  • Call to Action: The message to defenders is to stop using Port 53 DNS and move to some form of encrypted DNS.
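A small simulation of the allow-by-resolution model described in the TL;DR, added here as an illustration; it is not Microsoft’s code or the ZTDNS implementation. The resolver, its zone and block list, the addresses and the TTLs are all constructed for the example; it shows why a direct-IP connection, a hosts-file entry and a refused phishing name all end up blocked, and keeps a decision log of the kind the episode mentions.

```python
"""Simulation of the Zero Trust DNS model: outbound traffic is allowed only to
addresses the trusted resolver returned, or to admin-configured exceptions.
Added example, not Microsoft's code; names, addresses, zone and block list
are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class TrustedResolver:
    """Stand-in for the enterprise's trusted (encrypted) DNS server. It answers
    from a constructed zone and refuses names on its block list, which is how a
    phishing link fails: no answer, so the client never learns an address."""

    def __init__(self, address: str, zone: Dict[str, Tuple[str, int]], blocked: List[str]):
        self.address = address
        self.zone = zone          # name -> (address, ttl)
        self.blocked = set(blocked)

    def resolve(self, name: str) -> Optional[Tuple[str, int]]:
        if name in self.blocked or name not in self.zone:
            return None
        return self.zone[name]


class ZtdnsPolicy:
    """Host-side outbound filter. Only answers from the trusted resolver
    populate the allow table; hosts-file or other local sources are ignored."""

    def __init__(self, trusted_resolver: str, exceptions: List[str]):
        self.trusted = str(ipaddress.ip_address(trusted_resolver))
        self.exceptions = [ipaddress.ip_network(e) for e in exceptions]
        self.allowed: Dict[str, Tuple[str, float]] = {}   # ip -> (name, expiry)
        self.log: List[str] = []                          # decision log

    def learn(self, source: str, name: str, address: str, ttl: int, now: float) -> bool:
        """Record an answer only if it came from the trusted resolver."""
        ip = str(ipaddress.ip_address(address))
        if str(ipaddress.ip_address(source)) != self.trusted:
            self.log.append(f"IGNORE {name}->{ip} from untrusted source {source}")
            return False
        self.allowed[ip] = (name, now + ttl)
        self.log.append(f"LEARN {name}->{ip} ttl={ttl}")
        return True

    def lookup(self, resolver: TrustedResolver, name: str, now: float) -> bool:
        """Query the trusted resolver and record its answer, if any."""
        answer = resolver.resolve(name)
        if answer is None:
            self.log.append(f"REFUSED {name} by {resolver.address}")
            return False
        return self.learn(resolver.address, name, answer[0], answer[1], now)

    def check_outbound(self, address: str, now: float) -> Tuple[bool, str]:
        """Decide whether a new outbound connection to `address` may proceed."""
        ip_obj = ipaddress.ip_address(address)
        ip = str(ip_obj)
        for net in self.exceptions:
            if ip_obj in net:
                self.log.append(f"ALLOW {ip} (admin exception {net})")
                return True, "exception"
        entry = self.allowed.get(ip)
        if entry is None:
            self.log.append(f"BLOCK {ip} (not resolved via trusted DNS)")
            return False, "unresolved"
        if entry[1] <= now:
            self.log.append(f"BLOCK {ip} (resolution for {entry[0]} expired)")
            return False, "expired"
        self.log.append(f"ALLOW {ip} (resolved as {entry[0]})")
        return True, "resolved"


def demo() -> ZtdnsPolicy:
    """Constructed scenario: one intranet name, one blocked phishing name,
    one hosts-file style entry and one direct-IP connection attempt."""
    resolver = TrustedResolver("10.0.0.53", zone={"intranet.example": ("10.1.2.3", 300)},
                               blocked=["login-secure-update.example"])
    policy = ZtdnsPolicy("10.0.0.53", exceptions=["10.0.0.53/32"])
    now = 1000.0
    policy.lookup(resolver, "intranet.example", now)               # learned
    policy.lookup(resolver, "login-secure-update.example", now)    # refused
    policy.learn("127.0.0.1", "legacy.example", "10.9.9.9", 86400, now)  # hosts file, ignored
    for ip in ("10.1.2.3", "10.9.9.9", "203.0.113.7", "10.0.0.53"):
        policy.check_outbound(ip, now + 100)
    policy.check_outbound("10.1.2.3", now + 400)                   # TTL 300 has expired
    return policy


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```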

Links

View it on YouTube: https://www.youtube.com/watch?v=-BkZ0WKjEzI

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/understanding-microsoft-zero-trust-dns-with-aditi-patange/id1829031081?i=1000725162111

Spotify
https://open.spotify.com/episode/2wTsh6kBha7jRzxULoplMs

Amazon Music
https://a.co/d/dllrGs5

ADAMnetworks
https://adamnet.works


Full Transcript

Chapter 1: Introductions

Welcome to the Defender’s Log

David: Welcome back to the Defender’s Log. I am so enthusiastic to have Aditi Patange from Microsoft, as well as Francois Driessen right here from ADAMnetworks. It’s going to be a three-way version of the Defender’s Log today. Welcome, Francois. Welcome, Aditi.

David: On this podcast, I really enjoy speaking and interviewing folks who live in the defender space. We’ve had some really cool guests. Aditi, the reason we asked you to come on here is because we got to know you at Microsoft. In fact, we met at RSA regarding Microsoft Zero Trust DNS. And this is an exciting space, obviously, for all of us.


Meet the Guests

David: But, I really would like to just start today by having a little bit of background on you. Who is Aditi?

Aditi: Thank you for the space, David. I’m really happy and excited to be here with you. It’s always a pleasure to talk to you and Francois and hear about the awesome, cool things that you’re doing and how we can collaborate to defend this space. Like you talk about in your previous blogs, it is really a defender’s place, so I’m really excited to learn more, work with people, and really feel honored to be here with you to talk about this.

Aditi: A little bit of background on myself. I am Aditi. I did my bachelor’s in computer engineering. I’ve always been excited about computers and how they work and programming. I used to be a software engineer.


Chapter 2: The Defender’s Journey

Getting into Technology: A Family Affair

David: So let’s do a little bit more of the human element here, Aditi. Why is it that you got into technology? What was the first time that you realized, “Hey, there’s a future for me, and it’s somehow involved with ones and zeros?”

Aditi: Wow. I wish there was a very good story for this, but both of my parents are computer scientists, so I grew up in a household where both of my parents are writing code. And as soon as my school started offering a CS class, they were like, “You should sign up for this.” I come from an Indian family where the only two career options are either you become a doctor or you become an engineer. Those are the only two options we ever get.

Aditi: And, I don’t think I’m cut out for a doctor, so engineer it was. When I took my first CS class, it was mind-blowing. We started out with assembly, and just seeing that assembly code being put out, it actually does edit some bits, and then you see something do an addition on a machine. You see it subtract some things. Even those basic things, working with those processors, I was excited. I was like, “Oh, this is cool.”

Aditi: I started writing in C and C++, and that was great. But then when I moved to Python, I was like, “Wow, this is mind-blowing. I can do so many more things with such little code.” Throughout that summer, I just fell in love with it before realizing that I was in love with it.


From Software Engineer to Cybersecurity Defender

David: At what stage did you become a defender? I mean, you’re sitting smack-bang in the middle of probably one of the most powerful security aspects ever added to Windows. At what stage did your life take a turn for you to end up right in the middle of the core of what could be security for the Windows world?

Aditi: I do have to say a lot of it was definitely luck. When I was trying to switch roles and become a product manager, this happened to be the first role that I interviewed for. I spoke to Tommy Jensen, who was my first interviewer and later became my mentor and good friend, and he really sold me on it.

Aditi: Even within our first interview, he helped me understand the importance of networking. He spoke about zero trust, DNS, and what it does. I was like, “Okay, this sounds cool. This seems interesting. This seems important.” I always knew that I wanted to work on something important. For me, it’s very important to understand the “why” behind something. If I don’t understand the why, I’m not as motivated to work on it. And I think he did a phenomenal job of selling me on it.

Aditi: Still, it was like, how much do you really know about a position when you’re interviewing? When I got here, I thanked my stars that I landed in this place. It’s been a few years, but it still feels very recent. I transitioned into product management, and that was also the time when I ventured into the space of cybersecurity and network security. I started just learning so much more about it. It has been exciting.


The Mission: Securing Our Digital World

Aditi: I really like this space because I think it really gives me a mission to work towards. Everything in this world is getting to a digital space. You talk to any governments, you talk to enterprises, everybody wants to go digital. But when you keep someone’s data in a data center, when you’re transmitting data from one device to the other, what if it gets into the wrong hands? What happens?

Aditi: There was this one realization one day that my mentor, Tommy Jensen, gave me. He gave me this analogy that really made me think about how important this work is. He told me that if networks go down in a hospital, how bad could that be? So when we are making sure that we are securing the networks, we’re making sure that they function, we are actually saving lives. And we don’t know that, but we are.

Francois: It’s really cool to hear that you have a similar thing that gets you up out of bed in the morning, to know you get to do something that really affects people out in the real world.

David: I had never actually considered the importance of it to that level, but you’re not wrong.


Chapter 3: Deep Dive into Zero Trust DNS

What is Zero Trust DNS?

David: On this topic of zero trust, I’m really curious what you found would be needing special attention because it broke things.

Aditi: A lot of things break. I think a lot of people hearing this may not be familiar with it, so I’ll dive into Zero Trust DNS, the feature I work on, a bit more before I dive into what broke.

Aditi: So, Zero Trust DNS is a new feature within Windows 11. It’s an enterprise security feature that blocks all outbound connections by default. It only allows connections that were resolved by your trusted DNS server or things that were explicitly configured as trusted or allowed by your IT admin.


Breaking Things to Make Them Better

David: I think we’ve lived in this space where when you apply zero trust in the real world, at first, you break more things than you prevent from breaking. And that’s not to say that it’s not worth it, because sometimes things have to get momentarily worse to get better.

Aditi: When we do something like this, we’re inherently relying on DNS resolutions as being the point of discovery for any given endpoint. What we learned in the process was a lot of legacy applications shoot straight by IP address connections. We’re like, “Why?” And those are the first ones that broke.

Aditi: There were many others that were using host files to discover IP addresses. And as a part of the design, we wanted to make it very transparent and very secure. So we said, “No, we don’t look at host files. You can’t do that anymore.” And people were like, “Are you serious?”

Aditi: So those were some things we saw breaking, but we were also very happy with it. It was nice that all of those legacy applications were brought up to the surface. People had a chance to review them and modernize them in a way that they work well in our new networks and they’re more secure. So I think breaking sometimes can be good. Like you said, it needs to break before it becomes better.


The Rationale: No More Host Files

David: I love the fact that you chose on purpose to not honor the hosts file or any other source because the whole concept of zero trust is that there is one source of truth. And if that means that an attacker that may attempt to modify the local hosts file now has that avenue neutered, I mean, that is wonderful. That is a good thing.

David: I can also see how a lot of application vendors or even end users or lazy IT admins might not have liked that because now their band-aid is effectively ripped off. Now it hurts. Now it’s bleeding. Like, “What do I do about this?” And our answer is, “Well, let it heal properly so that you don’t need a band-aid anymore.”

David: I’m sure you’ve had a few conversations with folks around that. Did you have anybody that remained resistant at all?

Aditi: I think people are usually in two extremes of the spectrum. I find people who really care about security and who are all in on the zero trust game. So they’re like, “Oh wow, you don’t look at host files anymore. That is great. That’s one less thing for me to worry about and one less attack vector that I have to consider in my zero trust architecture.”

Aditi: And then there are others who would, like you said, be concerned about host files, but then those people are already just using port 53 DNS, so they haven’t even moved on to encrypted DNS, and then Zero Trust DNS would be a step beyond that. So for them, it’s very, very early in the journey, and they probably haven’t even thought about it enough to have such questions.


A New Security Posture

David: What you’re actually doing with Zero Trust DNS is you are taking a number of security posture steps all at once. It’s like you’ve got this staircase ahead of you. At the top, it’s more security. At the bottom is your current state. And then you gotta basically be very, very tall, have very long legs, or be very agile so that you can take all those steps at the same time.

David: Someone has to be enthusiastic, or someone has to be forced to do that today. But I think as time goes on and as attacks continue to happen, this will change. I suspect you guys are probably doing the same thing that we’re doing. Every time we see a well-publicized attack, we’re like, “Well, how would we have prevented that?”


Chapter 4: The Real-World Impact

Analyzing Attacks and Preventing Breaches

David: Is there any one particular well-publicized attack that you’ve looked at and just been shaking your head?

Aditi: For our team, every time I come across a phishing attack, I would say that is very exciting to me. It’s like, “Oh yeah, if I had this phishing email with ZTDS enabled on my device, the link wouldn’t have worked.” The straight IP address connection would be blocked, or my server would know that it’s not supposed to resolve this name, and this attack would’ve been prevented.

Aditi: So I think phishing is always one that gets me. I can’t believe even in today’s world, with all the tools we have, so much of that is happening. And I always see phishing as the first gateway for people to get into your machine and then broaden their reach within your environment. So, I always look at that as the first step, and it’s very nice to see that, yeah, we could have prevented it if only you started using us and thinking about security.


Solving the Phishing Problem

David: I am very curious if you had the same experience that we had. When you sit down with a CISO and you tell them, “Hey, we solved phishing,” what did their faces look like?

Aditi: They’re like, “Oh, okay, can you tell me more?” What is always funny is because the concept of Zero Trust DNS, we can explain it in two or three sentences, which is not too difficult. It’s very easy to understand and grasp. The beauty of the solution is that it’s so simple. And even a CISO who may not be very into networking, who may not have a very deep knowledge of networking, is able to understand that.

Aditi: Whereas I’ve seen many other solutions out there in the market which sound so complex. It sounds like a bunch of marketing jargon put together, but you don’t really know it. It feels like a black box. So in my conversations with CISOs, it has been so effective because they’re able to understand what we are doing under the hood. And that really helps me earn their trust.


Simplicity, Elegance, and Adoption Challenges

David: I can’t forget this episode where we were at Billington. We met Sammy Curry there, a senior official for cybersecurity with the government of Canada. He knows his space. He gave us 30 seconds. I explained to him the Zero Trust DNS approach, and his response was, “It’s so simple. It’s so elegant. Why doesn’t everybody do this?”

David: And that is the typical response that we get over and over again from people who have that light switch turned on for them. And then somehow after that, there’s a voice in them that says, “But wait a minute, we would be seeing this everywhere by now if this was real.” And so we’re still dealing with that phase when a new idea comes to market. But your competition, so to speak, is, “But we’ve always done it this way,” which gets in the way. It takes time.


Chapter 5: The Genesis of Zero Trust DNS at Microsoft

Motivation from the U.S. Government

David: Tell us about what the motivation was to begin with by Microsoft to do this.

Aditi: That’s a great question. This effort actually started back in 2021, I want to say, by my mentor, Tommy Jensen, who is actually the main person behind Zero Trust DNS. It was his idea, and it started with the U.S. Government’s Executive Order on cybersecurity. They were really keen on trying to secure their government networks.

Aditi: Following up in 2022, more prescriptive guidance around what is expected from DNS came out as a part of M-22-09. Since then, our team kept talking with CISA and trying to clarify the requirements, and it turned out they wanted to do a couple of things.

  1. They wanted to make sure that all of the DNS traffic within their agency was encrypted.
  2. They wanted to make sure that there was an authoritative log maintained somewhere about all of the resolutions being made.
  3. They wanted to do domain-name-based segmentation to allow or block connections.
  4. They wanted to do all of this without TLS termination.

The Critical Requirement: No TLS Termination

Aditi: That was the interesting bit because until then, back in 2022, when we researched if there was any existing solution that could give them all of this, the answer turned out to be no. So that kind of led to the genesis of Zero Trust DNS. Every solution we could find at that point did the first three things by terminating TLS.

David: Why do you think it was such a big issue for them to not have TLS termination?

Aditi: I can aggregate a bunch of different conversations that I had, and it all comes down to this point: if you are terminating TLS connections on one node within your deployment that is not the actual source or destination endpoint, then you’re essentially creating a honeypot situation. For an attacker, if they compromise that one node, they know absolutely everything that is happening in your network. We call that a hyper-valuable target.

Aditi: It’s sad that I see so many solutions still doing that. Even though at a policy level people are able to understand it, at a practical level, it is becoming very difficult because a lot of IT admins don’t want to move away from it. As you said earlier, they’re conditioned to “this is how things have been done.” It’s a mindset shift that needs to happen.


From Government Mandate to Enterprise Value

Aditi: So it started with the U.S. government, but then a lot of enterprises also started seeing value in this because, like you said, David, it’s simple. It’s elegant. And because it is baked right into Windows, it’s something that doesn’t even require them to install any new agents. It’s all integrated into the operating system.

Aditi: But that did come with its own set of questions, like, “Okay, we like this idea, but it only works on Windows, and we have other devices. We have Apple, we have Google devices. What do we do with those?” And because we built it for Windows, we didn’t have a good answer for that. Speaking with you, it was always great to know, hey, maybe if they couple that with Don’t Talk to Strangers, then they can have this level of protection across their fleet.


Chapter 6: Byproducts and Future Challenges

Unexpected Benefits: Ad Blocking and P2P Neutralization

David: Have you had any particular instances where you saw an additional value of doing Zero Trust DNS that you hadn’t considered before?

Aditi: I’m pretty sure that some of the big techs may not like this answer, but when I used ZTDS and I set my trusted DNS server as an ad-blocking server, my searches became so beautiful. It’s like, no ads. Are you really kidding me? For me, Zero Trust always came with a security value, and then it was like, “Oh wow, ad blocking could be a feature.”

David: Another byproduct for us was that pesky peer-to-peer (P2P) networking, that otherwise was difficult to block, was solved. As cool as the innovation is, when it gets used more by bad guys than good guys, then you start questioning the overall value.


The Roadmap: Integration and Interoperability

David: If we can switch gears for just a moment, Aditi, I was wondering if you have had any experience with trying to prioritize or make it interoperate with other endpoint protection that’s a third party, like MDR or your own antivirus, Windows Defender?

Aditi: Yeah, so that’s on our roadmap. We are very early in our journey for Zero Trust DNS; it is still in public preview. We are excited about expanding and integrating with different solutions. We are thinking about getting it integrated with different SIEMs so that you can have aggregated logs and intelligence in one place. We want to make sure that if people use it with SASEs, that works.

Aditi: We have a long list of items on our radar, but we have very limited funding to make that happen. So at least in the initial V1 design that we have, those are out of scope, but definitely something that keeps me up at night. Without all of those integrations, it’s going to feel like a standalone feature that works in its own silo. To actually function in an enterprise setting, it needs to be able to integrate with existing solutions that IT admins are using.


Under the Hood: Kernel-Mode Implementation

David: Does this in any way reduce the need for deep kernel hooks, or how did you handle that concern?

Aditi: It is getting harder to write new kernel-mode drivers in Windows, but ZTDS is definitely implemented using the Windows Filtering Platform. It is a net new kernel-mode driver. This is going all the way down to the kernel just because of the way we need it to work and the level of granularity we need to have to be able to block everything that’s leaving a device. It’s just difficult to do anything of that sort from the user mode.

Aditi: Although at Microsoft, we do have an effort where we are actively hearing about the migration from kernel to user mode, and that is something that we are actively working on.


The Weight of Responsibility: 1.4 Billion Devices

David: It makes sense that the larger the risk and the larger the user base is, the more careful you have to be.

Aditi: That is so true. Internally, we have this very extensive mechanism for trying to ship code because we have to be careful. Any one line of code that is messed up can bring down the internet for 1.4 billion Windows devices.

Aditi: So we have a sense of responsibility. Like they say, with great power comes great responsibility, and our team feels that every single day. If something goes wrong, then imagine the world coming crashing down. We have rigorous mechanisms to ensure everything we do is tested internally across Microsoft’s massive organization. Then we still have flighting rings in which we slowly roll it out to the entire world. But we do make sure that whatever we write, it continues to work.


Chapter 7: Personal Reflections and a Call to Action

The Core Driver: Protecting People

Francois: What’s the core driver for you? What’s the primary aim that you are chasing with the ZTDS team?

Aditi: My goal is to make sure that the internet continues working in a secure fashion on all of these devices. I think about mundane daily scenarios when my grandma is using her laptop. I want to make sure that she’s protected, and I want to make sure that bad actors aren’t trying to exploit her. They’re not trying to exfiltrate her financial information. They’re not trying to steal her health records.

Aditi: And at a broader scale, we think about government agencies, hospitals, financial agencies, and armies that have very critical data. I want to make sure that within the purview of my work, I don’t create any loopholes for bad actors to get in, exploit this, and put everybody at risk. To know that my work will be able to protect people against threats, to know that anything good I do would be running at that level of scale and provide protection to my near and dear ones, my neighbors, my fellow citizens… that is very heartwarming. That really keeps me going every single day.


A Message for the World: Don’t Take Infrastructure for Granted

David: Is there any one message that Aditi would like the world to know?

Aditi: Wow, that’s a tough question. I would say that I want the world to not take infrastructure for granted. I want them to understand that the fundamentals are everything. When we build a house, we really secure the foundation of the house. Our network is that foundation. When we think about flashy technologies, let’s not forget about that foundation. Let’s make sure that the foundation is still solid, that it works, and it’s secure because otherwise, anything you build on top of it is just going to come crashing down like a house with a weak foundation.


A Message for Defenders: It’s Time to Evolve

Francois: And the message that you have for CISOs or defenders out there that need the technology that you guys are building? What would you say to them?

Aditi: Talk to me. No, but honestly, if you’re using Port 53 DNS, really do reconsider how you are deploying your networks today. You’re really exposing yourself to a lot of risk there, with bad actors having full visibility into your network. So please do consider moving on to thinking about encrypted DNS. I’m sure that the first step is moving to encrypted DNS, and then once you are able to do that, then there’s a wide variety of things like Zero Trust DNS. But honestly, if you’re on Port 53, it’s high time to move to some form of encrypted DNS.


Chapter 8: Conclusion

Final Thoughts and Future Collaboration

David: Well, I couldn’t have said it better. Aditi, thank you so much for joining us today, and we look forward to collaborating with you and Microsoft in the future.

Aditi: Absolutely. It was such a pleasure being here. Thank you for inviting me, David. It’s always a pleasure talking to you and Francois, so thank you for having me, and I am also excited to see all of the new things that we can do together.

David: Thank you. Okay, bye for now.


The post TDL004 | Understanding Microsoft Zero Trust DNS with Aditi Patange appeared first on Security Boulevard.

09 September 2025
